Windows Internals for Reverse Engineers by Alex Ionescu

Instructor: Alex Ionescu
Dates: 23-26 June
Capacity: 18 Seats

Learn the internals of the Windows NT kernel architecture, including Windows 8.1 and Server 2012, in order to learn how rootkits, PLA implants, NSA backdoors, and other kernel-mode malware exploit the various system functionalities, mechanisms and data structures to do their dirty work. Also learn how drivers operate and how they can be subject to attack from user-mode callers to elevate their privileges. Finally, learn how CPU architecture deeply ties into OS design, and how Intel and AMD's mistakes can lead to more pwnage.

New Windows 8.1 functionality covering SecureBoot and Code Signing requirements will be introduced, and new Windows 8 kernel features relevant to driver operation and exploitation techniques will be discussed, including an overview of over two dozen new security mitigations that have been added to the operating system. Windows 7 kernel changes will be discussed too, such as the new Object Manager data structures.

After learning the theory, you will use tools such as WinDBG and Process Hacker to analyze, poke, and prod kernel-mode Windows components, as well as write your own drivers and tools. You'll also learn how to use the new Visual Studio 2013 and Windows Driver Kit 8.1 to debug the boot manager, boot loader, and the kernel itself, using a high-speed Ethernet connection.

Finally, you will use all this knowledge to analyze certain pieces of buggy C code with hard-to-spot Windows-kernel-specific bugs, as well as looking at a custom driver to understand its behavior. You'll also learn how to "clean-up" your IDA or HexRays disassembly in order to understand common inline functions that distract from real code.

Attendees will receive a copy of Windows Internals, 6th Edition.

Part 1: WinDBG Zero to Hero
You will be presented with many WinDBG/KD commands, as well as how to write your own scripts and extensions. You'll spend a good few hours learning WinDBG tricks that will save you hours of time and effort, and turn your WinDBG-fu from white belt to WinDBG sensei. You'll also never call it "Win DEE BEE GEE" again.

Part 2: Windows OS and CPU Architecture
You'll be exposed to low-level CPU details such as segmentation and task gates, things you probably thought didn't matter since 1986 anymore, but which still drive core Windows architecture today. Never again will you think [fs:18h] is a magic constant. Both x86 and x64 will be covered, and you'll also learn about how ARM does some of these things and how Windows RT interacts with the ARM chip.

We'll then move our focus toward understanding the behaviour and operation of the Windows Kernel. Core topics such as interrupts, DPCs, APCs, timers, scheduling and memory management will be discussed at the architectural level. You are expected to already be familiar with some of these ideas -- for example, on the topic of memory management, it is not about how to use malloc, but rather about the complexities of and effects of the algorithms used by Windows when managing pages.

A detailed summary of the object manager and ALPC mechanism will also be on the table, as well as the window manager (Win32k.sys) and its data structures/behaviors. We will be using deprecated and unsupported debugger extensions to peer into aspects of Win32k.sys that few have looked at before -- except those that find new kernel vulnerabilities in it by the minute.

You will learn the various data structures used by bookkeeping and internal consistency and management of core system components and objects, such as threads and processes, and how these fields can affect the operation of the system in ways that malicious code can control. A secondary focus will be for forensic purposes -- how to recover system data and state from raw memory information.

Finally, Windows 8 and Windows 8.1 introduce a plethora of new security features, mitigations, and code signing requirements (as well as support for SecureBoot). We'll see how these changes to the architecture have dramatically constrained exploit techniques.

Part 3: Windows Kernel Mode Reverse Engineering, Rootkit Analysis, and Debugging
In the last part of the course, we'll focus on using various techniques and tools to inspect the Windows kernel for consistency, tracing its operation, and editing it, as well as ways in which offensive and defensive attackers can mess with the system's state in unexpected, "clean" ways. Throughout the course, we'll also take a look at several examples of malicious and/or buggy drivers in a given Windows system, as well as architectural bugs over Windows' lifetime.

We'll also use IDA to look at some common kernel inlined macros and their respective C form, to simplify reverse engineering work and move past the noise.

Finally, we will take a look at certain examples of plain C code, that contains well-known bugs, as well as certain harder-to-spot bugs within the specific context of running in a Windows kernel environment.

Class Requirements


IMPORTANT: You should be able to understand x86 assembly to take this course, but knowledge of obfuscation, packing, etc, is not required.

Basic knowledge of Windows, processor architecture, and operating systems is helpful -- you should know what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.

Minimum Software to install:

* You must have a Windows machine to attend, and you should have a version of Visual Studio 2013, as well as the Windows Driver Kit 8.1, which you can freely grab from MSDN. If you really cannot find a way to obtain it, you may contact the conference and a temporary copy for class use will be made available for you.

* A virtual machine (VirtualBox is preferred) is recommended with an installed version of Windows 8.1. Locally, any version of Windows 7 or Windows 8, 32-bit or 64-bit is fine -- you may prefer 32-bit if that is the disassembly you are most familiar with and/or want to use Hexrays. The instructor will use a 64-bit Windows 7 device, a Windows RT ARM device, and a Windows 8.1 32-bit device.

* IDA/Hexrays helpful, but not required.


Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as over a few dozen non-security bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low- level system software, reverse engineering and security trainings for various institutions. In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.

To Register

Click here to register.